DevOps Stack Exchange is a question and answer site for software engineers working on automated testing, continuous delivery, service integration and monitoring, and building SDLC infrastructure. Join them; it only takes a minute:

I have various Jenkins agents images and I am trying to add automation to it.

I have a base java image called agent-base and those who inherit from that one. Eg: agent-ansible, agent-terraform and so on. In some case, I even have a 3rd level.

I have many unanswered questions in my head so I will just throw them in here.

What would be the best way to update the child images when a parent is updated? Downstream pipelines perhaps?
Or should I keep all the Dockerfiles in a single repository and have a script that know the images hierarchy?
More importantly, how should I tag (version) my child images? Should it contain my parents version too? In the tag itself or as labels.

There is a good practice called multistage build, in which you have one Dockerfile containing various image definitions that depend from one another, this helps you keep all your images updated with the latest changes and copy artifacts from one to another; this also helps reducing the image size if done right.
A simple example is like the following:

In this example, in the first image you compile a go example application using the golang official image and then, using alpine to keep the size of the image small, you copy the executable to a new image and execute it.
This way you can keep your containers in one file and build all at the same time or you can build just a target stage:

docker build --target builder -t somehub/sometag:latest .

You can even use remote images as stages:

COPY --from=nginx:latest /etc/nginx/nginx.conf /nginx.conf

If you need anymore information regarding Docker multi-stage builds you can find it in the following link.